
Re: our ldm system



Frank,

I'm at the AMS this week.  It sounds like you had an abnormal stop to
the LDM. I would suggest stopping the LDM and then doing a:

% ps -eaf | grep ldm

and deleting all the ldm processes.  I believe the other rogue processes
are causing the abnormal situation. Also, you should do an:

% rpcinfo -p

and make sure that port 388 is not being used.

Yes, you can send me your login and
passwd, probably will not get a chance to look at it until FRI.

Robb...



On Sun, 9 Jan 2000, Frank Colby wrote:

> Robb,
> 
> Our ldm system seems to have lost its way, and I fear it has been hacked
> into.  There is a whole list of processes which are running that don't
> look familiar, and it cannot resolve internet addresses.  The ldm
> starts, but doesn't get any data, and ftp or telnet can't even find our
> vms systems, so if we did get data, the ftp process wouldn't work
> anyway.  I have two requests:
> 
> 1)  If I gave you a username and password to get onto the system, would
> you be willing to look at the processes that are running and see if it
> looks odd to you as well?  I am not a computer person, just a
> meteorology professor, and so I don't understand unix too well.  Our
> university has cut virtually all of the system people, so I don't have
> any support.
> 
> 2)  If in fact the system is hacked, and I need to start with a clean
> operating system load, can you suggest ways to protect the system from
> another attack?
> 
> Thanks,
> 
> Frank Colby
> 
> PS  This is complicated by the fact that I am physically in Seattle, on
> sabbatical.  I am planning to return periodically to Massachusetts, but
> this is kind of my worst nightmare.
> 
> PPS  These problems only happened beginning on the 7th of this month.
> 
> 
> 

===============================================================================
Robb Kambic                                Unidata Program Center
Software Engineer III                      Univ. Corp for Atmospheric Research
address@hidden             WWW: http://www.unidata.ucar.edu/
===============================================================================
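
The two checks suggested in the reply (`ps -eaf | grep ldm` and `rpcinfo -p` for port 388), as an added example that is not part of the original message or of the LDM distribution. The function names are hypothetical, and the sample `ps` and `rpcinfo` output, including the RPC program number shown on port 388, is constructed for illustration.

```shell
#!/bin/sh
# Added example: the two checks from the reply, applied to captured output.
# Function names and all sample data below are constructed for illustration.

# stdin: `ps -eaf` output. Prints the PID of every line mentioning "ldm",
# skipping the header row and the grep process the pipeline itself creates.
ldm_procs() {
    awk 'NR > 1 && /ldm/ && !/grep/ { print $2 }'
}

# stdin: `rpcinfo -p` output (program vers proto port [service]).
# Prints "program/proto" for each RPC registration on port $1.
port_users() {
    awk -v port="$1" 'NR > 1 && $4 == port { print $1 "/" $3 }'
}

# $1 = ps output, $2 = rpcinfo output. Prints "clean" and returns 0 only when
# no ldm process is left AND nothing is registered on port 388.
ldm_state() {
    pids=$(printf '%s\n' "$1" | ldm_procs | paste -sd' ' -)
    users=$(printf '%s\n' "$2" | port_users 388 | paste -sd' ' -)
    if [ -z "$pids" ] && [ -z "$users" ]; then
        echo "clean"
        return 0
    fi
    echo "leftover pids: ${pids:-none}; port 388 held by: ${users:-nobody}"
    return 1
}

# Constructed sample: output captured after an abnormal LDM stop.
SAMPLE_PS='UID   PID  PPID  C STIME TTY      TIME CMD
root    1     0  0 Jan07 ?    00:00:04 init
ldm   412     1  0 Jan07 ?    00:00:01 rpc.ldmd
ldm   431   412  0 Jan07 ?    00:00:00 pqact
root  777   700  0 10:02 pts/0 00:00:00 grep ldm'

SAMPLE_RPC='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    300029    5   tcp    388'

# On a live host: ldm_state "$(ps -eaf)" "$(rpcinfo -p)"
ldm_state "$SAMPLE_PS" "$SAMPLE_RPC" || true
```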